phpBB Future Security?

mkruer · Post by **mkruer** » Wed Feb 25, 2009 9:28 am

First of all, sorry to hear about the hack. I am late to the game as usual, but I have some questions about future development when it comes to security.

I know a while back I brought up the idea of using hidden login/username, names that are unique but are not referenced anywhere outside of the original login. The general idea as that people do not and should not know others login/username. Because the login/username is no longer used as a descriptor, the same hashing rules can be applied to it as a password so in effect you have a double password scheme. If someone were able to get into the database, not only would they have to crack the password, but they would also need to crack the username as well; adding an additional level of security. This should be relatively easy to accomplish if there is a willingness to support this in the future.

Another idea is that hashing can also be applied to e-mails addresses, but it because a bit trickier, because the e-mails need to have the ability to be reversed. Lately I have had to use PGP to secure laptops. The first part of the process is to create a master password and then encrypt the contents of the drive. Once this is accomplished, then user keys can be associated with the master password to get into the system without having to use the master password again. So using this logic, would it be reasonably possible to as hash protect the e-mails addresses as well?

onehundredandtwo · Post by **onehundredandtwo** » Wed Feb 25, 2009 9:52 am

mkruer wrote:First of all, sorry to hear about the hack. I am late to the game as usual, but I have some questions about future development when it comes to security.

The hack was phpList and not at all related to phpBB.

mkruer wrote:I know a while back I brought up the idea of using hidden login/username, names that are unique but are not referenced anywhere outside of the original login. The general idea as that people do not and should not know others login/username. Because the login/username is no longer used as a descriptor, the same hashing rules can be applied to it as a password so in effect you have a double password scheme. If someone were able to get into the database, not only would they have to crack the password, but they would also need to crack the username as well; adding an additional level of security. This should be relatively easy to accomplish if there is a willingness to support this in the future.

If the user never posted and the username was ciphered then it would work, it would only really ever be useful to an admin though. If you really wanted to be secure then you could create a PHP script that only allows you to login as an admin if you are from your IP Address.

mkruer wrote:Another idea is that hashing can also be applied to e-mails addresses, but it because a bit trickier, because the e-mails need to have the ability to be reversed. Lately I have had to use PGP to secure laptops. The first part of the process is to create a master password and then encrypt the contents of the drive. Once this is accomplished, then user keys can be associated with the master password to get into the system without having to use the master password again. So using this logic, would it be reasonably possible to as hash protect the e-mails addresses as well?

I guess it could but that adds yet another layer of complexity to phpBB that many users do not agree with. Email addresses aren't something you should really be too worried about, most users sign up with a Hotmail and it is very easy to change email addresses if the email address is spammed.

Interesting topic though, perhaps in the future some of these ideas may be put into action.

Kellanved · Post by **Kellanved** » Wed Feb 25, 2009 9:58 am

Login names other than the displayed usernames are under consideration, although they might have done more harm than good in the scenario we encountered. They would be more a convenience than a security feature.

Encrypting email addresses is pretty much impossible, as the encryption has to be - as you say - reversible. Thus an attacker could extract all information required for decrypting from the database and/or the filesystem.

Techie-Micheal · Post by **Techie-Micheal** » Wed Feb 25, 2009 3:36 pm

As stated, the problem wasn't with phpBB. While we (yes, we

) are always working to improve the security of phpBB, phpBB3 has made gigantic leaps ahead in terms of secure coding techniques and so on. Encrypting emails, while seems like a good idea, comes with the problem of requiring a key. Where's that key stored? In the database or config file, both things that the attacker can readily access and be on his or her merry way.

mkruer · Post by **mkruer** » Wed Feb 25, 2009 6:56 pm

I understand that it was not phpbb that was hacked; however that is not the point. The point that I was trying to make is that a database is only as secure as the weakest link, so we have to assume that someone will be able to read anything stored in the database verbatim. Using this logic, key data fields need to be protected beyond plain text. As a thought experiment, how could we reasonably encrypt the sensitive data.

As a though experiment how would we implement such a system. As stated above, the problem is that the password needs to be somewhat transient in nature. It can not remain in the file system nor the database.

Could the password be stored as a cron job, in memory of the server, and update/replaced every login with a rotating password.

ChrisRLG · Post by **ChrisRLG** » Wed Feb 25, 2009 7:47 pm

mkruer

For the forum software to be able to retrieve the email data - such as to send notification emails - it would need to be able to decrypt the data, if so it has to store that key somewhere, if it does it might just as well have the data in clear, as any hacker worth his salt will be able to access it all.

The same goes for the password to the database etc - unless the software can access a password it cannot do anything. Storing in encrypted form is just not possible.

Techie-Micheal · Post by **Techie-Micheal** » Wed Feb 25, 2009 10:04 pm

Storing it in RAM is not that much more difficult to retrieve the information. Besides, RAM is called volatile storage for a reason.

mkruer · Post by **mkruer** » Fri Feb 27, 2009 8:34 pm

ChrisRLG wrote:mkruer

For the forum software to be able to retrieve the email data - such as to send notification emails - it would need to be able to decrypt the data, if so it has to store that key somewhere, if it does it might just as well have the data in clear, as any hacker worth his salt will be able to access it all.

The same goes for the password to the database etc - unless the software can access a password it cannot do anything. Storing in encrypted form is just not possible.

I understand that, but is it possible to come up with a transient key, one the shifts upon access? Let me see if I can explain this. You have a master key for the e-mails which is static. You then create a process key similar to a sid that allows accesses to the master key and then to the e-mails. The sid/key would shift and update upon access. The general idea is that the key keeps moving around more frequently then the time it would take to grab the contents of the database, so by the time the hacker got the key, it would be invalidated.

Dog Cow · Post by **Dog Cow** » Fri Feb 27, 2009 8:49 pm

If the hacker has gotten so far as to be able to access an internal key, then something else earlier has failed. And that should probably be the primary focus instead.

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Fri Feb 27, 2009 9:28 pm

I agree, if the hacker has access to the database at all, then you have more problems than worrying about the email or usernames and passwords.
once you have access to the database that usually means that you have access to everything on the server.

the only real problem with what the hacker did here at phpbb.com was just the fact that some people may have used the same username/passwords for more sensitive logins used elsewhere.

other than the staff, the rest of the members here would not be impacted in any serious way by someone having our login info for phpbb.com.

robert

Nelsaidi · Post by **Nelsaidi** » Fri Feb 27, 2009 11:04 pm

Yeah, as said, first for encrypting Emails, this has to be reversible. Yes it can be made hard to gain of, but is possible, there are many things in an email which will give away parts of the pattern (if any), and in many cases, access to the database is made after the file server, access to the file server means able to decrypt (there are exceptions, such as built in cyphers which are unique). Second of all, the Login name and Username is to some extent a good idea, although im sure many people like me would use the same for both, else it sucks, I want to use Nelsaidi tbh. My password is strong me thinks, containing upper cases, lower cases, numbers and symbols, and is long, thats secure.

Techie-Micheal · Post by **Techie-Micheal** » Sat Feb 28, 2009 1:11 am

nelsaidi wrote:Yeah, as said, first for encrypting Emails, this has to be reversible. Yes it can be made hard to gain of, but is possible, there are many things in an email which will give away parts of the pattern (if any), and in many cases, access to the database is made after the file server, access to the file server means able to decrypt (there are exceptions, such as built in cyphers which are unique). Second of all, the Login name and Username is to some extent a good idea, although im sure many people like me would use the same for both, else it sucks, I want to use Nelsaidi tbh. My password is strong me thinks, containing upper cases, lower cases, numbers and symbols, and is long, thats secure.

The definition of encryption is that it is reversible.

mkruer · Post by **mkruer** » Sat Feb 28, 2009 1:13 am

Well this is a vetting process in the realm of ideas. Just trying to think outside of the box. Just because the hacker can get to the data, doesn't mean that there can be additional roadblocks to them reading the data. The question is how much is reasonable?

I mean that there could be something convoluted like session key pre thread. The e-mails would be encrypted globally with the usersname/password and its only when the user posts that it decrypts and encrypts it with the thread encryption. This of course would mean adding overhead to the post because now all the e-mails would have to be stored on a thread by thread basis. However if the database was hacked now the hacker needs to decrypt all the threads to get to the e-mails.

If nothing comes from it, oh well. However i do hope that others start thinking outside the box

Techie-Micheal · Post by **Techie-Micheal** » Sat Feb 28, 2009 2:02 am

mkruer wrote:Well this is a vetting process in the realm of ideas. Just trying to think outside of the box.

Of course.

I meant to reply with more, but somehow I didn't and pushed submit anyway. What I meant to say was this:

It is possible to encrypt things in a database (PCI requirements, for example), but it requires more of an infrastructure than what the phpBB software can provide.

advertisements